Hello Eclipse users,
SonarLint already has the ability to synchronize issue suppressions, i.e. issues resolved as “Won’t Fix” or “False Positive” in SonarQube (you can learn more about SonarQube issues here). This way, you can focus only on relevant issues in your IDE. Last year we also added the ability for SonarLint to fetch and display in your IDE complex injection vulnerabilities detected by SonarQube during your project analysis.
As you know, SonarQube (Developer Edition and above) supports branch analysis, and you can for example resolve an issue as “Won’t Fix” on a specific project branch. The caveat is that SonarLint, until today, wasn’t aware of the project branch you are actually working on, so it was only able to sync issues from your project main branch in SonarQube.
Over the last couple months, our team has been working to introduce branch awareness in SonarLint and today we have released it for Eclipse (in addition to VSCode, which was released in January). This means SonarLint is now able to adapt the issue synchronization to the Git branch you’re actually working with; and you’ve nothing to configure on your side, except making sure that your local project is bound to a SonarQube project.
On the limitations side, please be aware that, although SonarQube also supports Pull Request analysis, SonarLint is currently only syncing with a configured branch, and not with pull requests (we may introduce support for sync with pull request analysis later).
This release also brings plenty of new functionality and improvements. Here are a couple of highlights:
- In addition to the XXE (XML External Entity) vulnerability, which is already supported, the Java analyzer now detects additional kinds of insecure XML processing.
- We improved the performance of Python analysis by using serialized Typeshed symbols.
Here are the release notes if you’d like to learn more.
Enjoy SonarLint in Eclipse!